A few years ago Steve Gibson talked about "The end of clever" on his podcast. Essentially that we've (now quite awhile ago) passed the point where a clever password was sufficient to protect you.
All the database leaks have shown that many people aren't nearly as clever as they think they are. I'm not sure if Passkeys are going to prove out as a good solution, so for the moment I am inclined to say your best bet is a good password manager and long, random passwords.
Clever is fine, if long enough, but it doesn't scale.
The problem is not that i need a clever password, it's that I need 100 of them. Given that problem I either reuse my clever one everywhere, or have a formula based on it, and the domain.
In this age of scale, a password manager generating long random passwords is not "good to do", it's absolutely a requirement.
Now all you need is one long, clever, resilient password to access the password manager.
Of course, but that still requires the attacker to specifically target me. Attacking some random service I have an account with and getting everyone's account info isn't enough.
Any computer can get infected with a password stealer. As long as the password manager isn't significantly increasing the risk, then there's no problem.
I've seen platforms that don't rate limit 2fa guesses. A six digit OTP has only a million possible values. Guessing once per second it only takes a couple days to guess.
This is also why a platform should never confirm that a password is correct when 2FA is enabled, only confirm if both have been solved.
Think about a time-based one-time passcode (OTP). Every 30 seconds you get a fresh code and the attacker tries to guess that code. There's usually a validity window of one or more OTP, so the attacker needs to guess one of several possible currently valid OTP.
This is a popular trick in CTF exercises and it's pretty quick if you can make 1000 guesses per second. Takes a couple minutes until you're in.
And even if you use a clever password you might be giving it to someone who has never heard of password hashing/salting etc (but I'm sure they "care about your privacy")
Hence why I prefer "not great/not bad" passwords to sites that wouldn't have a significant impact on my privacy
I don’t know about that. Clever still works for me I think, it’s just a matter of password length. One trick I still use today is to take the first letter of every word in a sequence I knew, and still substitute numbers and capitals. There are a lot of poems, and soliloquies in Shakespeare’s works, and opening lines of a book, etc. etc. Basically anything where you only need to remember something you already know, and where the “hint” can be something like “J12” for the first two lines of Jabberwocky.
A decade or so ago, because I had to learn it for a school recital and know the poem backwards, I used Jabberwocky: Tbatstdgag1tw! - according to security.org’s password-strength-checker [1] that will take a computer 200,000,000 years to crack, presumably on average. I use a longer one today, and I skip words too, and some words I use 2 letters from - a similar string of characters to my current password is estimated at a trillion years.
At one point, I was using the first 2 lines of “Sea Fever” by Masefield, but that got too long to type - ImgdttsattlsatsaaIaiatsatstshb … If you’re interested, that’s 2 septillion years. I don’t need to be that secure :)
> according to security.org’s password-strength-checker [1] that will take a computer 200,000,000 years to crack
These types of things are very misleading. It is rare for a password to be bruteforced in general, it is unusual for the attacker to have the hashes of the actual site for an offline attack. Hopefully if the dev is competent there is rate limiting for an online attack. If the dev is competent they are hashing with argon2, pbkdf2, bcrypt etc tgat slows things down.
Anyways - 95% of password based attacks are using the same password in multiple places with one of the other sites getting hacked (someone's probably going to point out exceptions, and they do exist). Unless your password is absolutely terrible, the threat is not lack of password complexity but lack of password uniqueness.
Just to put it in perspective - 2FA is usually a six digit number, and that is considered secure since there are rate limits, and the user cannot reuse the key on multiple site. The security.org site says that can be cracked in 25 microseconds. There is obviously more to it then that since 2FA codes last more than 25 microseconds.
I should have clarified that I’m talking about my login and iCloud passwords here. For websites, I always use hide-my-email (hey, I wrote the client-side code for it) and a safari-suggested unique password for exactly the reason you mention.
I do share those two (different) passwords around the machines I own, (ie: all login passwords are the same, and the iCloud password is shared of course) but I don’t see that as extending my risk at all. All of those machines are under my control for the login, and I know how well Apple secure the iCloud one.
Similarly, I use lyrics of songs I know well enough to be able to sing the words correctly, but are obscure enough that most people won't know them. Jut use the first letter of each word, and if you forget, you can hum along with it while typing.
As an example, the chorus of the classic CCR song 'Have you ever seen the rain' (don't use this one) will give you a easy to remember 15 char password: Iwkhyestrcdoasd. And if you forget its easy to make a simple hint (something like 'Fogerty').
My advice, don't use the chorus - a 2nd or third verse you remember is better (and often longer). And google the lyrics before you make the password, just to check that you've been singing the right words all these years.
> I used Jabberwocky: Tbatstdgag1tw! - according to security.org’s password-strength-checker [1] that will take a computer 200,000,000 years to crack, presumably on average
Or much less time because it's already been leaked three times according to haveibeenpwned.com, so it'll already be in a bunch of rainbow tables.
This is why clever isn't enough: not because you can't design one that's resilient to brute force attacks but because password reuse is the #1 threat to the password-oriented security model and you can't come up with hundreds of sufficiently strong clever passwords.
I think you missed the “10 years ago” bit. And you replied after I posted above that these are login passwords, used only on machines I own. I use unique passwords and hide-my-email on systems I don’t control, for exactly that reason.
A better way to tell if your password is secure is to
download a gpu dictionary password cracker, and add in a couple of the big leaked password dictionaries, get at least the big ones so you have a few billion passwords and run it for a few hours. It will crack millions of clever passwords like just like that, and the only result is making someone like me wonder how can 7 people come up with the exact same seemingly unintelligible string that long.
What a strange blog. The link to a Wikipedia page that no longer exists, the assumption that people would use "Speak Friend" as a password (when the movie password is just "friend"), the counting of "My Precious Cat" as a LOTR reference. Fun experiment but some odd conclusions.
I'm with you. The fact that Joshua is not the number one on this list really speaks to my age.
In my youth, Joshua was a password I used a lot, and only dropped it because I felt it was, like, too obvious.
Another one I used, especially when numbers became mandatory was Turk182. But that reference is from a seriously obscure mid 80s movie (of the same name.) I'm guessing precisely nobody here has heard of it :)
I was once tasked with reverse engineering a competitor's product, figured it might take a while but within minutes of running strings on one of the binaries it became clear one of the engineers must have been a major Game of Thrones fan. Talk about making your encryption passwords jump out :eek:
Random strings, folks, much safer to stick with random strings...
Heh.
I wonder if it is still tradition in universities to assign quirky network names to their machines? Would anyone even notice these days, as these names are way less prominently displayed these days?
They greybeards who came before me used names from the lore of LotR. I used house names from A Song of Ice and Fire (better known as the early 2000s tv series Game of Thrones, though the first book was released in the 90s). The youngsters after me used Pokémon names.
This has me wondering. When I was in school about 2 decades ago they were using names of Greek or Roman gods for servers. Part of me wonders if many campuses even have many servers worth naming now, since all the services I used at that time have now been outsourced to Google or Microsoft long ago. I’m guessing there must still be a few servers in a rack even in a cloud-centric school, but the days of connecting to like “hermes.university.edu” to get email/FTP/web hosting must be gone basically everywhere by now.
Mid-80s, the Stanford TOPS-20 campus timesharing system had machines named Hamlet, Othello, Lear, and Macbeth which users called The Tragedies. The system administrators did NOT like that.
Names from Tolkien, movies, and tv got popular as workstations got deployed. Initially we thought the management had unclenched but learned that end users picked the names as these were machines deployed by individual research groups.
TV, not film, but I have in fact used Data’s complete command lockout sequence from the “Brothers” episode of Star Trek: The Next Generation. Something like 60 characters, including the NATO alphabet.
A question that interests me more is: has anyone used the transliteration of the Elvish “Speak friend and enter” (1) as a password? That is, “pedo mellon a minno”.
I actually wrote out that line in my journal with a calligraphy pen, copying the Elvish characters - one of my favorite fictional alphabets to this day.
There was some movie I watched as a kid where the password was "remember" but, ironically, I can't remember it now. At the time I thought it was clever, nothing I had to log in to actually matter, but a few years later I decided to change it.
All the database leaks have shown that many people aren't nearly as clever as they think they are. I'm not sure if Passkeys are going to prove out as a good solution, so for the moment I am inclined to say your best bet is a good password manager and long, random passwords.