2015's worst password was 123456

Ya, I have learned to document a shorthand notation of the question and my answer that I can fall back to if I need to answer the questions… (it works – if I remember to record them)

1 Like

My problem with those questions is that I am not interested in being a person, or having personal problems! So it seems like merely an underhanded way to harvest information by people who don’t need it.

No - I have no personal nor favorite anything, and my doing so should not be a prerequisite to using anybody’s service.

Besides, it seems like they are needlessly introducing whole new areas of insecurity.

2 Likes

It really doesn’t help when places have questions like “what is your favorite book” or “what is your favorite musical group”. As though these are things that aren’t going to have changed at all between now and the next time I need to answer these stupid questions!

2 Likes

Hah! Who's stupid for using 1234 now!

1 Like

Absolutely not. First, human minds are terrible at picking anything at random. So a “random” pop song from the top of your head is not a good base for a password, no matter what ad-hoc algorithm you put it through.

Second, slightly modifying passwords for reuse is bad, too - assuming you are, so to speak, under attack (which sounds terribly paranoid, but otherwise we wouldn’t need to discuss password strength) - and somebody gets hold of your example password. Now the strength of all your other passwords has fallen to the strength of “-9”.

Selecting a good password needs a true source of randomness like dice rolls or coin tosses to choose a sufficient number of items from a uniformly distributed source like an alphabet table or a dictionary.

1 Like
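To make the point about a true source of randomness concrete, here is an added example (my own illustration, not code from anyone in this thread). It picks passphrase words with the operating system's CSPRNG via the `secrets` module, shows the dice-roll mapping a Diceware-style list uses (five rolls of a six-sided die index one of 6^5 = 7776 words), and computes how many uniform picks a given alphabet needs to reach a target entropy. The word list below is a constructed toy list, far shorter than a real one.

```python
import math
import secrets

# Constructed toy word list for this example; a real Diceware-style list
# has 6**5 = 7776 entries so that five d6 rolls select exactly one word.
WORDS = [
    "apple", "brick", "candle", "dune", "ember", "fjord", "glove", "harbor",
    "ivory", "jungle", "kettle", "lantern", "marble", "nickel", "orbit",
    "pepper", "quartz", "river", "saddle", "timber", "umbrella", "velvet",
    "walnut", "xenon", "yonder", "zephyr",
]


def dice_index(rolls):
    """Map a sequence of d6 rolls (each 1..6) to a 0-based list index by
    reading the rolls as base-6 digits. Five rolls cover 0..7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("die roll must be between 1 and 6")
        index = index * 6 + (r - 1)
    return index


def passphrase(words, n_words, rng=secrets):
    """Choose n_words uniformly and independently from `words` using a
    cryptographic source (secrets.choice), not a favourite text or song."""
    return " ".join(rng.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size, n_items):
    """Entropy of n_items chosen uniformly and independently from an
    alphabet of alphabet_size symbols (words count as symbols)."""
    return n_items * math.log2(alphabet_size)


def items_needed(alphabet_size, target_bits):
    """Smallest number of uniform picks from the alphabet that reaches
    target_bits of entropy; this is what 'sufficient number' means."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("passphrase:", passphrase(WORDS, 6))
    print("rolls 3,1,4,1,5 select word index", dice_index((3, 1, 4, 1, 5)))
    for name, size in (("lowercase letters", 26),
                       ("printable ASCII", 95),
                       ("Diceware words", 7776)):
        print(f"{name}: {items_needed(size, 64)} uniform picks for 64 bits")
```

The entropy figures only hold when every pick is uniform and independent; letters lifted from a natural-language text are neither, which is why the same length buys less security there.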

I pointed out that I can create an algorithm and so can you. Pinpointing specific (and entirely unproven, by the way) weaknesses that you’ve seen in my algorithm is ignoring my point.

My servers have been under continuous attack for decades. Nobody has managed to crack one yet (although I’m going to assume that they will now, because I said that). Empirically, it seems that the level of randomness and uniqueness I recommend is sufficient.

I will provide you a hash if you would like to try to crack it.

EDIT long after because I forgot this topic: $1$3dmbx94m$U1.CAG.OfNQX1Za4hELmh/ was created with the method I described above. Literally that method, so if humans really are bad at randomness this should be crackable instantly. I’ve even provided the encryption algorithm and the salt…

Bring it on. It may take a while, though.

The second part of what I said is quite apparent. If you don’t see that, I’m sorry, but I can’t think of how to make it more clear.

For the first part, I may be guilty of some hyperbole. Of course your example is still very hard to guess with a brute force or dictionary attack due to its length. It is probably better than what most people use. I have some passwords that are considerably weaker than that. But I wouldn’t use it for anything critical, because it’s weaker than its length might suggest due to its letters being chosen from a natural text and following letter distribution rules. Using a very popular text as a basis, there’s even a slim chance it might have been used before and appears in some word list, especially considering certain people that have very large budgets to create such things.

Pundits and people trying to sell you things will tell you that passwords are hard. They will also tell you that people are shunning you due to your ring-around-the-collar and that sharia law is a clear and present threat to your household. Don’t fall for it!

I’m not selling anything, and passwords don’t need to be hard, but ignoring the underlying mathematics can still bite you, and it doesn’t help lumping that simple fact in with unrelated superstitions. If you want to make good use of your password length (and you want that or it will be a pain to input, or to remember) there is no substitute for a random source.

MargaretThatcherIs110%sexy

2 Likes

You’re an unfathomably advanced AI from the future, aren’t you? I wasn’t going to say anything, but the signs have been piling up too high to ignore for a while now.

It’s ok, you can tell us.

2 Likes

I don’t think there is anything unfathomably advanced about not bothering with favorites, likes, and wants. But people seem to make a big fuss about it. This probably helps them to feel better about however they choose to live.

1 Like

For most websites, I use Passwordmaker, a password generating browser add-on that takes a master password and the domain name of the site (and more, if you want, like your username), then uses a hashing algorithm to generate a password made of a set of characters you can also pick or edit. So I only need to memorize one strong password, to have different passwords on almost every site.

Why “almost” you might ask? Well, it’s because many websites use ridiculously restrictive rules for passwords that my default settings don’t fit with. And there’s a long-time bug in Passwordmaker that prevents you from creating alternate settings, which is too bad because in theory it’s supposed to be able to select the settings based on the URL.
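The derivation scheme described above (one master password plus the site's domain, hashed into a password drawn from a chosen character set) can be shown in a few lines. This is an added example of my own, not Passwordmaker's code or its actual algorithm and parameters: the application salt, the PBKDF2 iteration count and the `counter` field are assumptions of this illustration. It also handles the per-site restriction mentioned in the post by letting the caller pass a different `charset` and `length` for a site with narrower rules.

```python
import hashlib
import hmac
import string

DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"
# Constructed, fixed application salt (an assumption of this example); it
# only separates this derivation from other uses of the same master password.
APP_SALT = b"example-site-password-derivation-v1"


def stretch_master(master):
    """Stretch the master password once with PBKDF2 so that guessing the
    master from a leaked site password is expensive for an attacker."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), APP_SALT, 200_000)


def derive_site_password(master_key, domain, length=16, charset=DEFAULT_CHARSET,
                         username="", counter=1):
    """Deterministically map (master_key, domain, username, counter) onto a
    password of `length` characters from `charset`. Bytes are drawn from an
    HMAC-based stream and mapped with rejection sampling so every character
    is equally likely (no modulo bias). Bump `counter` to rotate one site's
    password without changing the master."""
    if not 2 <= len(charset) <= 256:
        raise ValueError("charset must have between 2 and 256 characters")
    label = f"{domain.lower()}|{username}|{counter}".encode("utf-8")
    site_key = hmac.new(master_key, label, hashlib.sha256).digest()
    limit = 256 - (256 % len(charset))  # largest multiple of len(charset) <= 256
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(site_key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for b in stream:
            if b < limit:  # reject bytes that would skew the distribution
                out.append(charset[b % len(charset)])
                if len(out) == length:
                    break
    return "".join(out)


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")  # constructed sample master
    print("example.com :", derive_site_password(key, "example.com"))
    print("example.org :", derive_site_password(key, "example.org"))
    # A site that only accepts 8 digits gets its own charset and length.
    print("digits-only :", derive_site_password(key, "example.net", 8, string.digits))
```

The trade-off the post hints at is visible in the code: every site password is a pure function of the master, so the master is the single secret to protect, and the only way to change one site's password without touching the others is the `counter` (or equivalent) input, which the user then has to remember per site.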

I commit my secure passwords directly to motor memory, thus absolving me of having to recall its individual (and often random) characters. In practice, this has proven to be both the best and worst idea I’ve probably ever implemented.

2 Likes

I used to use random character passwords all the time, but because of the difficulty in memorizing them, I tended to change them very rarely. Then I worked in the bitcoin industry for a few years and we were getting attacked constantly (literally that is, not just “a lot”, but at all times). Switching to this method saved my bacon.

1 Like

This is the method I’ve stuck with for quite some time now. It’s handy since my workplace had a draconian password policy and it’s the only way I can remember my damn password.

Now if only more sites would adopt some form of two factor authentication…

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.