Pick a good password, then never change it

And worse, to get around that problem they are starting to ask security questions with nondeterministic answers. Like “What is your favorite movie” or “Who was your first crush”. I can never remember what I put in for those vague questions five years ago when I signed up for this dumb service I never use but need one more time. :roll_eyes:

20 Likes

I do appreciate the reminder. It’s something I “know” but rarely think of. It’s a weak spot.

6 Likes

The thing with that, is if/when they present you with a multiple choice, one of which is your (visibly oddball) answer.

“What’s your favorite animal? A. Duck B. Owl C. Tardigrade D. SkRZzLp@123”

4 Likes

That’s true, but unless SCF stores your password in the clear, the attacker still doesn’t have your BOA password (assuming it can resist a dictionary attack).

Unique passwords are better, of course (there are some sites that do store plaintext passwords, for a start), but I’m starting from the assumption that people do reuse passwords, because they definitely do. And if they are doing that, then password policies just create additional problems, and in some ways encourage the reused password to be less good.

2 Likes

“Security questions” get answered by random strings by my password manager. Then I store the question and “answer” in the notes section of the account entry in the password manager.

5 Likes

I had a hunch you were referring to something on the tubes, but I had no idea what. That strip does illustrate the problem with security questions. If they are too general there are many possible answers.

My method is to use a word unrelated to anything personal (no one says you have to tell the truth) with a prefix, usually three characters, suggested by the question.

@VeronicaConnor, I have seen individual Penny Arcade strips before, but I didn’t know anything about the transphobism of the authors. Thanks for spreading the word. I’ll be careful not to link to them in future.

7 Likes

For a password, I’ll string together two or three words all in different languages I know, such as Japanese, Kazakh, Spanish, plus a couple numbers and a symbol if allowed. It makes remembering it from a password manager easier, and I figure dictionary attacks won’t be very useful if the password is composed of multiple languages.

5 Likes

This is the point though. Your advice is vastly overestimating how good the password storage and encryption systems are on every two-bit piece of website software out there. Most of them are garbage and require no effort at all to crack without elaborate attacks. Furthermore dictionary attacks are far far more effective than you seem to be giving them credit for. The category of attacks lumped into “dictionary” is vastly more sophisticated than that. I have seen 15 character random strings get cracked in seconds with script kiddie stuff. If people only take one piece of advice (which is what we’re debating here) I argue it should be to use different passwords everywhere.

Of course the best overall approach is a password manager that generates long very high entropy strings, and multi factor authentication (preferably using an app, not your cellphone number). But again if we had to pick one thing for people to do, different passwords everywhere is my vote hands down.

ETA: To make this point a little further, an example. I have seen a mobile game login system that stores passwords by XORing them with 42 (because hurr hurr Hitchhiker’s Guide). I would never recommend anyone hang their security on the competence of a world full of overworked underpaid software engineers working on projects they hate. One password in multiple places does exactly that, no matter how good the password.

15 Likes
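An added example (not code from any poster in this thread) contrasting the XOR-with-42 storage described above with a salted scrypt hash, which is what a server should store instead; the scrypt cost parameters and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not from the thread: why reversible "encryption" of stored
# passwords protects nothing, beside a proper salted password hash.

def xor42_store(password: str) -> bytes:
    """The mobile-game scheme from the post: every byte XORed with 42.
    It is trivially reversible, so a dump of the user table is a plaintext dump."""
    return bytes(b ^ 42 for b in password.encode("utf-8"))

def xor42_reveal(stored: bytes) -> str:
    """Anyone holding the stored bytes recovers the password by XORing again."""
    return bytes(b ^ 42 for b in stored).decode("utf-8")

def hash_store(password: str, salt=None) -> tuple:
    """Salted scrypt via hashlib.scrypt. Returns (salt, digest).
    n/r/p are assumed illustration values; tune them for your own server."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest

def hash_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time;
    the digest itself cannot be turned back into the password."""
    _, candidate = hash_store(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("xor42 leaks:", xor42_reveal(xor42_store(pw)))
    salt, digest = hash_store(pw)
    print("scrypt verifies:", hash_verify(pw, salt, digest),
          hash_verify("wrong", salt, digest))
```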

But poor password handling by small websites is incredibly common. In fact the administrators of such sites are often open about not considering their site to be high value, so they aren’t going to put in a lot of effort to make sure everything is set up correctly, and will warn you not to reuse passwords. Also, if they are quietly breached, the attackers can add request logging that captures your password from the login form. Furthermore even security minded people often underestimate how good password crackers have gotten and what it takes to be resistant to offline attack.

It’s far better to just assume that if any site gets hacked, your password is leaked.

2 Likes

The obvious solution is a constant media campaign hyping the desirability of number theorists as partners.

It’ll take a while to see the results, but once asymmetric key operations become part of humanity’s natural-language capabilities just think of how easy authentication will be!

5 Likes

Oof, I hadn’t seen that failure mode either. Because, why would someone reduce the entropy of the answer that much? The answer, obviously, is that most people don’t understand security.

1 Like

I used to like their online D&D games from PAX but dropped them cold when they showed what assholes they really are.

2 Likes

Saw this on tumblr yesterday:

brucesterling

Computer security needs a better solution than typing on a keyboard

12 Likes

Water.

(Did we read the same children’s book?)

3 Likes

This is the whole problem with financial institutions, which need to be MORE security conscious than the average website, but instead seem to only use the worst options, such as this one.

4 Likes

Nice tip, I like that. I might start doing that.

1 Like

Unfortunately, there are (and there will always be) leaks that are not publicly known.

4 Likes

Ok, after having posted that, I suspect that I’m confusing it with the context in which I have seen it, i.e. when they’re confirming a known previous address and at least one is visibly bogus (even the block numbers north of Seattle/Everett don’t go that high) – see above. I can’t clearly remember if (1) it made me think they could do the same with user-generated security questions and/or answers, or (2) I actually encountered this. While I remember seeing (2), I can’t recall any further specifics.

Sorry… either way “let’s be careful out there”

Another strategy I recall is to reuse the password but append this with (for example) the name of the particular website. I’ve stopped doing this, myself. It seemed like good advice but it was probably 2006 or '07 when I read that.

ETA for more(?) clarity

2 Likes

I do see your point; if you use the same strong password on ten sites, then compromising one site could still compromise them all, whereas with ten truly different weak passwords, you only risk one at a time.

But my experience is that even when you tell them not to, most people do use just one password, with trivial variations, and even if you could make them pick different passwords everywhere, it’d just be “Tofu1”, “Tofu2” etc. — i.e. both weak and similar enough to compromise related accounts.

I can imagine getting most people to learn a strong password (and hopefully special ones for at least banking and Apple ID), giving at least a chance that a compromise on one site won’t expose them everywhere. (Though I did assume `openssl rand -base64 15` would take north of a trillion trillion hashes per second to crack on a practical timescale, and it would make a difference if that’s a naïve assumption)

Anyway, my beef with password validation is it doesn’t achieve either of these – it can’t enforce uniqueness (or even strength, in 2022), and it isn’t consistent enough that you can use the same strong password everywhere.

2 Likes
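An added worked estimate, not from any poster, of the keyspace behind the password styles discussed in this post and earlier in the thread (“Tofu1”, a three-word multilingual passphrase, and `openssl rand -base64 15`) and the average offline cracking time they imply; the dictionary sizes and guess rates are assumptions for illustration, not measurements.

```python
import math

# Added example, not from the thread. Models each password style as the
# attacker would (only the free choices count), then converts bits to time.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(keyspace: float) -> float:
    return math.log2(keyspace)

def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average case: half the keyspace must be tried before a hit."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR

def tofu_style_bits(dictionary_words: int = 100_000, digits: int = 10) -> float:
    """'Tofu1': one common word plus one trailing digit (assumed list size)."""
    return entropy_bits(dictionary_words * digits)

def multilingual_passphrase_bits(words: int = 3, per_language: int = 50_000,
                                 languages: int = 3) -> float:
    """Three words, each from one of three languages (assumed list sizes).
    Modelled as drawn from the merged lists, so mixing languages adds only
    log2(languages) bits per word over a single-language passphrase."""
    return entropy_bits((per_language * languages) ** words)

def openssl_rand_base64_bits(nbytes: int = 15) -> float:
    """openssl rand -base64 15 encodes 15 random bytes: exactly 120 bits."""
    return 8.0 * nbytes

if __name__ == "__main__":
    rate = 1e12  # assumed guess rate for a fast unsalted-hash cracking rig
    styles = [("Tofu1", tofu_style_bits()),
              ("3-word multilingual", multilingual_passphrase_bits()),
              ("openssl rand -base64 15", openssl_rand_base64_bits())]
    for name, bits in styles:
        years = expected_crack_years(bits, rate)
        print(f"{name:24s} {bits:6.1f} bits  ~{years:.3g} years at 1e12/s")
    # The post's figure: a trillion trillion (1e24) guesses per second.
    print(f"120 bits at 1e24/s: ~{expected_crack_years(120, 1e24):.3g} years")
```

At the assumed sizes the multilingual passphrase lands near 52 bits, and 120 random bits still take on the order of twenty thousand years at a trillion trillion guesses per second.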

Have we not realized yet that passwords basically don’t matter?
It’s the massive leaks that do all the damage. Your password could be H(k3(H@)dn21* or it could be “password1234” and your odds of getting hacked are virtually the same.

1 Like