(Sure, I'm a security guy, and part of me agrees with some of the other comments. Sure, I'm a tech geek, and I've seen and read about some wicked cool hardhacks, unexpected softhacks, and their ilk, and even some good life hacks. But this is awesome. An arguably silly security policy sought to control a small aspect of his work-life and he gamed the spit out of it to take total control of his life, change things up, get stuff done. Best hack ever.)
Congrats on remembering your passwords, but this is a terrible way to generate them. Phrases that are relevant to you or your life are the second thing that somebody making a wordlist is going to aim for, after "password" and "letmein" and friends.
I have a word list in front of me (2000 "short" and 10,000 "long" lists), "Forgive@h3r" "Quit@smoking4ever" "Save4trip@thailand" and none of his other passwords are listed on it.
The way those passwords are constructed doesn't make them common enough to appear on most word lists, and it would be very difficult for someone (who knows you or not) to guess them.
Now, dates of birth, or other common profile information is commonly misused in passwords and that is guessable. But that isn't what the article was about and wasn't in their examples.
I think the article rebuffs your post before you even posted it. So unless you can explain better how what the author is doing is insecure (and I highly doubt you can), your criticism seems misplaced.
I think it's clear that passwords should be VERY DIFFICULT for you to remember so that you have to reset them constantly and/or keep them in some kind of "vault" so you copy them into your clipboard all the time and accidentally paste them into chat rooms.
Is that a job title? I have cracked passwords before, yes.
> Do you have a password cracker database in front of you?
Yes? It isn't the English dictionary, it is a common password list assembled by someone else based on historical password leaks.
> Tbh the best password he could have written would probably have been a sentence like
As stated in the article, the complexity requirements didn't really allow sentences. And that has been my experience with a bunch of systems. They have artificial length limits (e.g. 20 characters) and require arbitrary types of characters.
Windows' default complexity requirements are a typical example of this kind of thinking. It should be calculated based on some kind of strength score, not on 1980s style character sets which actually reduce the scope of available passwords (e.g. if the first letter has to be a letter, you now know that it is one of 52 characters).
Great, now how do I use that password to log onto a mobile site from my phone? None of those characters are on my phone keyboard. Am I supposed to save them in a text file? That doesn't seem very secure.
The current largest danger, when it comes to passwords, is offline attacks on compromised databases, your computer, etc. Online attacks are much less of a problem because the server can (and hopefully does) throttle the number of times you can try - if you're limited to 100 tries, then it's pretty easy to create a password that won't be in the first 100 things a hacker will guess.
For offline attacks, if the password is stored using something relatively insecure like SHA256 (which is not compromised, it's just too fast), it's very inexpensive to make billions of guesses per second against a hash like that. They'll go through a list of the top 10 million most common passwords, then start iterating through lists of combinations of common dictionary words. Most password cracking software is very smart and will try all kinds of substitutions.
Assume that "Forgive" and "her" are in a dictionary of the 2000 most common words. Trying all 2-word combinations would be 2000^2 = 4 million guesses. They try with and without a special character (including a space) between them - assuming say 15 different characters, that's 60 million guesses. Try it with the first letter capitalized and uncapitalized, then also try each word alternately in all-caps (multiply by 5) - 300 million guesses. Let's assume that each word, using common "1337" substitutions, has an average of 10 alternate forms - that's 3 billion guesses to cover the entire space of the 2000 most common words with all kinds of variations. On average your password will be about halfway through the list, so say 1.5 billion guesses to get there. If you used a $50 GPU, this would take maybe 10-20 seconds to complete. If you used ASICs designed for mining bitcoin, it would take much, much less than a second.
Of course, the attackers might try other strategies. If they used a pure brute force, they'd never get to Forgive@her, but password cracking has gotten a lot smarter than that. You're basically taking a risk that this strategy (which is actually a subset of a more commonly used strategy) is not known by the hackers, because if it is, you'll be cracked very, very quickly.
Best practice in password strategies is to assume that the hacker knows your exact strategy and calculate the entropy of the password. The best "bang for your buck" is fully random, random-case passwords with all special characters possible. Assuming a 96 character set, a 12-character password like that has about 10^23 combinations, so even making 100 trillion guesses per second would take 200 years. If you want to use words, effectively case insensitive, you'll probably need more characters (but fewer words) - a password of equivalent security drawn from a pool of 10,000 words would be 6 words long. You can obviously use a mix of strategies to get the balance you'd prefer.
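Putting numbers on the estimate in the comment above, as an added example that is not part of the original thread: a small Python calculator for the candidate-space size, bit-entropy and time-to-crack figures it walks through (defaults reproduce its 2000-word, 15-separator, 5-case, 10-mangling assumptions), plus a strength check that flags whether a password sits inside the "two common words with an optional separator, case and leet mangling" space an attacker who knows the strategy would enumerate. The word list and separator set are constructed stand-ins, not a real cracking dictionary.

```python
import math

# Constructed stand-in for the "2000 most common words" list the comment refers to.
COMMON_WORDS = {"forgive", "her", "quit", "smoking", "save", "trip", "ever", "password"}
SEPARATORS = "@ _-.!#$%&*+=/:"                    # 15 separators, as the comment assumes
UNLEET = str.maketrans("3104@$57", "eioaasst")    # common "1337" substitutions, undone


def strategy_space(n_words=2000, n_seps=15, case_forms=5, mangle_forms=10):
    """Size of the 'word + separator + word' candidate space with the case and
    leet variations described in the comment (defaults give its 3e9 figure)."""
    return n_words ** 2 * n_seps * case_forms * mangle_forms


def bits(space):
    """Entropy in bits of a password chosen uniformly from a space of that size."""
    return math.log2(space)


def seconds_to_crack(space, guesses_per_second, expected=True):
    """Seconds to hit the password on average (half the space) or, with
    expected=False, to exhaust the whole space at the given guess rate."""
    guesses = space / 2 if expected else space
    return guesses / guesses_per_second


def fits_two_word_strategy(password, words=COMMON_WORDS):
    """True if the password falls inside the attacker's assumed strategy space:
    any split into two common words (after undoing case and leet), with or
    without a single separator character between them, counts as a hit."""
    pw = password.lower()
    for i in range(1, len(pw)):
        for j in (i, i + 1):                      # j == i: no separator; j == i+1: one
            if j > i and pw[i] not in SEPARATORS:
                continue
            left = pw[:i].translate(UNLEET)
            right = pw[j:].translate(UNLEET)
            if left in words and right in words:
                return True
    return False
```

With the comment's assumptions, `bits(strategy_space())` is roughly 31.5 bits, against about 79 bits for a 12-character password over a 96-character set or a 6-word passphrase from 10,000 words.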
Sure it does. A lot of people re-use passwords with different services, so if one gets compromised, then criminals have that password.
On top of it, people get compromised all the time. It's trivial for a virus to nab your saved browser passwords. Or someone sends you a phishing link and you happily type in your credentials. It looked official, right?
All of this is invisible to the end user, typically. From the IT side of things these credentials are used for all sorts of things like authenticating with smtp to use our mail server to send spam, log into ftp sites to host malware, etc, etc. Then the end user angrily walks up to IT saying, "Everyone is saying my emails are spam. Why do you guys suck so much??!!"
Forcing password rotation helps with this because there's a chance the password that got leaked is or will soon be retired. It also helps in scenarios when employees give their passwords out to other employees and then one of them gets fired and starts fucking with the system using someone else's credentials.
In short, a lot of these policies exist because people are stupid. Don't blame those of us trying to mitigate the damage. That said, you don't need a 30 day expiration. I find 120-180 days works well enough. You don't need complexity turned on as much as you need a sane minimum length. I'd rather train people to use "mydogsnameisAlbert" than "Password1"
If you rotate passwords every month, your users will be annoyed and use passwords that are either trivial, will write their passwords down, or will have a trivial variation from month to month.
In other words, they will resort to using less-secure passwords. The notion that rotating passwords improves security is little more than a cargo-cult.
Keeping a password written down (in your wallet, in your desk, etc) is probably safer than you'd think, because people generally know how to secure physical items, but they're much less certain about how to secure digital information.
I think it's obvious that expiring passwords increases security to some degree. It's also clear that user reactions will induce people to reduce the security of those passwords. The password expiry interval you choose (potentially as long as the duration of the system's existence) depends on your threat model, really. Security is hard and often application-specific.
I disagree. I am always hearing about how this or that service got compromised and stored passwords in plaintext or something, and now all those passwords are in the wild. I write really hard to crack passwords (funny little poems I made up myself) and I still could get screwed because my bank stored it in an unsafe way, and now some Russian dude knows my password is "I am so þirsty,5/but þe walls are unbroken.7/Where is Cool-Aid Man?5"
Thus, I find myself writing new poems all the time. Which is actually great because they are fun to make and easy to remember. But yeah if I still used that one (something I wrote in 2008) I'd be screwed. There's no way that's safe now.
What really drives me insane are services that limit the number of characters you can have for your password. Holy criminy that's dumb.
No, but people often use the same password for different services. Changing passwords regularly can cut off attacker access in the event of an undetected compromise.
Well, those people would probably simply cycle through their passwords, or append an increasing counter. So regular changes do not protect the security, but annoy people that are using generated passwords that are completely unique for each and every service.
Increasing the counter at the end is obviously weak when you find that "password46" is not working anymore so you try "...47".
However if someone steals a whole password database with a million passwords, chances are they just automate the login attempts and subsequent nefarious actions. They might not try to figure out anyone's naive password scheme if they get thousands of successful logins the easy way!?
I'm saying this because I've heard your reasoning before, and of course I've been staring at the keyboard when trying to change one of my passwords, wondering just how clever I need to be right there.
30 days is a little aggressive but I do think quarterly or every 6 months is valid. Not all users behave appropriately with their passwords, allowing other people to use them, re-using them between systems or putting them on post-it notes under their keyboards. The rotation of the credential is simply a cheap but heavy-handed way of dealing with those compromises to ensure the system returns over time to a default state of security and cuts out invalid access. Granted a better way to manage this is to create good audit trails of how often, during what times and from where and what devices those credentials are used, but like I said it's a simple/cheap way of adding that layer of security.
As far as I am concerned, if I want to make my password "jumping" I should be able to; forcing someone to make a password they will never remember leads to several issues.
1. A password cracker knows exactly what to ignore with such requirements (obviously his 4 letter word dictionary is useless in this case).
2. People have trouble remembering them, so they typically write them down somewhere (an even bigger issue).
You have to stagger them in your environment. If you don't, you get flooded with password change/reset requests the first few days after a change has been forced.
This hit very close to home. My (former) best friend and business partner stole a ton of money from me and our business, and I'm about to declare personal bankruptcy, right after my kid was born.
My password is some variation of how much of an asshole he is. But it's not helping. In fact, it's causing me to constantly dwell on it, painfully re-living our conversations, and thinking what I could've done differently to prevent it from happening.
Logically I understand that I need to forgive him and let it go, but I'm not able to do it. I'm going to change my password to an affirmation that I forgive him. I think it will be a good start.
That sucks, I was once in a situation where I held a grudge against a person for a very long time, to the point where I thought about them and what they did almost every waking moment. It made it really hard to move on with my life. What did it for me was forgiving the person in my own mind, truly forgiving them. It didn't happen overnight but it made all the difference in the world. Later on I bumped into learntoforgive.com and found that their methodology was exactly what I intuitively did to forgive in my case, I took notes on their process, hopefully they'll help you: https://docs.google.com/document/d/13w3d4a-e460yQV2y48iUVmBy...
Indeed. That site doesn't even pretend to be secure!
There are versions of that site which do everything in Javascript so your password is never sent to the server. That is also insecure but at least they pretend that it is not.
This site is designed to post your password up to the server and even works on HTTP (as opposed to enforcing HTTPS only). So you've just shared your password, IP address, and browser information with a completely anonymous site!
PS - I think this site is DESIGNED to be Javascript only but the implementation is bad, so the password is in fact sent to their server (which generates an "Internal server error" by the way).
I find this quite weird. OK, my passwords are meaningless sequences of random characters, so maybe it makes things different; but I don't remember passwords as strings, I remember them as gestures. For most passwords I would have to imagine myself typing them to reconstitute their written or spoken form (which can sometimes be tricky if you have to enter them on an unfamiliar device or using an unfamiliar layout).
So I'm confused why after a few days you would still remember what the password means when you type it in.
I have used this technique to help me memorize company goals and also to connect codenames with their version numbers. I hated when someone would mention "Julio" and I'd have to ask "uh that's version 4.2 right?", or vice versa. "Julio4.2" is a decent start to a password if you add another word or two to it.
You just have to figure out his most important personal goal that shows up on social media around the last week of the month, when AD starts warning him to change his password
I'm with a password "Quit smoking" for a second week now and nothing happens ( it's my screen saver password - just sayin' :D ). I enter it for 5-6 times a day. What's next?