Two-factor paper passwords (jgc.org)
186 points by jgrahamc on May 3, 2016 | 96 comments


Pretty neat for the older generation, until you run into one of these sites that insist that they know how to properly do password security and require you to have at least 1 number, at least a 'special character' (of which the definition is often very vaguely described), and it should consist of at least 8 characters and also be no longer than 12.

You will soon come to the conclusion that it is still easier to teach people to use a password manager for this because these schemes are nice but only get you this far before you have to revert to remembering that single password again.


I don't understand how that wouldn't work within the system described in the blog post. Couldn't you just write down `anger lunar @1` and follow your personal secret munging rule, so it becomes `ngeraunarl@1` (or whatever)?


The problem is that if you stumble upon three of these different requirement sites that break with your Two Step Authentication process as described in the article, you're going to forget about this rule.


I don't see why you couldn't modify the concept to always include numbers and special characters.

For example, your "password" could be a combination of words, numbers, and characters while the "thing you know" is something like capitalizing the even or odd first character corresponding with the even or odd number corresponding to the first letter of the site or company, and combine that with the even or odd sequenced number and character in their sequential location in the password or at the end or beginning of the entered password.

I'm sure I could describe that more clearly if I tried.


Then you run into the problem of idiotic sites not allowing special characters, or numbers, or even uppercase (I am looking at you, rvtrader.com...)

The second main reason passwords suck (after the fact users tend to choose weak passwords) is that developers implement all sorts of contradicting password rules.


No, because standard UX only gives you the arbitrary rules at creation time vs login time, so when logging in you don't know which rules you had to comply with.

Can't wait till we check min entropy and otherwise don't care.


e.g. brother-usa.com and nytimes.com have password restrictions such as this. Further, nytimes.com doesn't allow a '+' in an email address.


And Schwab. The password restrictions on Schwab are a complete and utter disgrace to best practices in security.


FWIW, they lifted some of the restrictions in Aug 2015:

http://www.schwab.com/public/schwab/client_home/password_for...

Between now allowing very long passwords, the free 2 factor token (hardware Symantec VIP, not SMS based), and being able to lock your accounts with a voice password/passphrase that you must give the rep to discuss your account on the phone (so then just SSN/mother's maiden name/birthdate isn't enough), I think they've pulled quite far ahead lately. It's better than any of the other banks I've used.

[Note: voice password is not their voice fingerprint silliness their reps will think you are asking about at first]


Oh that's awesome, I didn't know they'd improved. Good on them!


Can't agree with this strongly enough.

At Schwab I'm using 31 characters randomly generated by LastPass for a login name but they limit things to 8 characters for a password.

Absolutely crazy. Even if they are not having problems, why should customers like us have to worry about it?


Fidelity as well


Why no longer than 12?


That is a valid question to ask authors of systems that do not allow passwords longer than 12 characters (or 8, which is another popular upper limit, which can have some vaguely meaningful technical reason for legacy systems).


Or 10, which is the maximum password length my bank requires in order to log in to my bank account.

Oh, but they have a 4-digit pin, too! That makes it oh so much more secure.


My old bank required an exactly 5 character password.

They had two factor authentication though, with a phone call or SMS. What happened if you forgot your password? Well you had to reset it, using only phone call/SMS, of course!


Banks are more willing to eat the fraud costs involved with real-world compromised PIN codes than to deal with the customer support for forgetful users.


Our HR management system at work, that manages all payslips and tax returns only allows passwords between 8 and 9 characters, they have to start with a letter, they have to contain one of the following "@", "_", "-", "$", but no other special characters are allowed. It has to contain one number.

It's the most bizarre password requirement I have ever seen and I am pretty sure it's not secure. Have I mentioned it only works in IE and uses ActiveX controls?


> only allows passwords between 8 and 9 characters

Inclusive, I hope.


Often that is the size of the DB column and the password is stored in plaintext (or was and the size restriction remained).


This is usually the case but there are frequently short length restrictions even when it's hashed. Sometimes only on the client side too, so you can just remove the attribute from the input.


As I understand it, those restrictions are typically due to having an interface with some legacy system where those restrictions can't be removed.


because a lot of companies have no technical expertise at all.

american express used to enforce insane limits on passwords back in 2010[0]. 6-8 characters for passwords, no special character and had to have 1 letter, 1 number and it wasn't case sensitive. unfortunately _I_ had an amex card.

that page i linked to also has a reply from amex support who shows little knowledge about the difference between passwords and website encryption.

they eventually started expanding that limit from 6-8 characters to 8-20 characters around 2012? 2013?

[0] http://securitywatch.pcmag.com/e-commerce/284119-amex-passwo...


What irritates me is sites that refuse to allow special characters. Looking at you CableVision.


You could use a hash-based password generator and write the input seed, plus the constraints for the password. Or keep the password verbatim, it's not like the site is really secure anyway.
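
As an added illustration of the idea in the comment above (not code from the thread, and not the algorithm of gnu-pw-mgr, pwget or any other tool mentioned on this page): a deterministic generator where the written note holds only the seed and the site's constraints, and the master secret stays in your head. The function name, parameters and iteration count are assumptions made for this sketch.

```python
import hashlib
import string

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _draws(key, count):
    """Expand the derived key into `count` 32-bit integers (SHAKE-256 as the expander)."""
    raw = hashlib.shake_256(key).digest(4 * count)
    return [int.from_bytes(raw[i:i + 4], "big") for i in range(0, len(raw), 4)]


def generate(master, seed, length=12, symbols="", need_upper=True, need_digit=True):
    """Derive a password from the memorised master and the written-down seed.

    The constraints (length, allowed symbols, required classes) are what you
    would write next to the seed, e.g. "example.com#1 len=12 sym=@_-$".
    """
    classes = [string.ascii_lowercase]
    if need_upper:
        classes.append(string.ascii_uppercase)
    if need_digit:
        classes.append(string.digits)
    if symbols:
        classes.append(symbols)
    if length < len(classes):
        raise ValueError("length too short to satisfy every required class")
    alphabet = "".join(classes)

    key = hashlib.pbkdf2_hmac("sha256", master.encode(), seed.encode(), ITERATIONS)
    nums = iter(_draws(key, 2 * length))  # 32-bit draws keep modulo bias negligible

    # One character from each required class, then fill from the whole alphabet.
    chars = [cls[next(nums) % len(cls)] for cls in classes]
    chars += [alphabet[next(nums) % len(alphabet)] for _ in range(length - len(classes))]

    # Deterministic Fisher-Yates shuffle so the required classes are not
    # always in the first positions.
    for i in range(length - 1, 0, -1):
        j = next(nums) % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample values; bump "#1" to "#2" in the note to rotate.
    print(generate("correct horse", "example.com#1", length=12, symbols="@_-$"))
    print(generate("correct horse", "legacy.example", length=8, need_upper=False))
```

Changing the counter in the seed gives an unrelated password, so a rotation only requires editing the note.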


The first thing I tell people to do is secure their email with a good password and two factor authentication because if that gets hacked most other stuff can be hacked via password resets.


Your email address is your identity online - everything but everything assumes this. I have strong passwords and 2FA on my main account. If it was hacked, an attacker could (for example), reset my password for my national security vetting portal account. On there is available to anyone who has my login (no 2FA for this, obviously), forms which detail everything about me, my partner, my parents. My total, actual identity. I am compelled to use this service for the work that I do.

I hope neither it nor my email has any security breaches.


Does it at least have a cool down period? Like if you try your username n times in the last hour, you get locked out and can't try any more for m hours?


I don't know, you tell me how secure you think it might be: https://www.nsv.mod.uk/


Well, as it only supports TLS 1.0 and SSL 3 (C grade on SSL labs), plus looks like it's running an old version of Web Forms, I think you're probably fine. :/


Problem with this is that the entropy contribution of what you keep in your head is minimal. If someone gets your book, you're hosed.


On a similar note, gnu-pw-mgr uses a memorized transformation on a URL to generate passwords on-the-fly deterministically, so no passwords are ever actually stored:

https://www.gnu.org/software/gnu-pw-mgr/


Why not just a laminated password card that stays in the wallet/purse?

http://www.passwordcard.org/en


It's not a bad idea, but there's a few problems:

1. I would 100% forget which symbol goes with which site.

2. The length I choose for my password may be too long/short for a given site.

3. Some sites require special symbols; some sites forbid them. Now I have to pick out my symbol based on the site's requirements, not ease of memorization.


One solution to the site restrictions regarding symbols would be that you generate a non-symbol password, and a symbol substring. You add the symbol substring when you know that the site requires symbols (or if the non-symbol password fails).


I use passwordcard too and when I get a site that clashes with my algorithm, I give them one of 4-5 passwords that I used to reuse everywhere before I implemented the scheme. I have a 6-symbol password, a 10-symbol password with special characters, sure they've also been used on a dozen other sites but if their super special requirements make me extra secure who am I to blame them, I'll use my super special passwords that fit :^)

I could use a password manager but I don't want to be dependent on one piece of software, there's too many failure modes. It's already bad enough that all my accounts share a limited set of email addresses.

The main issue I have with schemes like this is that there's no repository of global identifiers for websites and services. I can build a password for blizzard.com, starting from say "bl", then I forget about it and five years later their website is now activision.com, and I wonder why I can't log in with a password built from "ac". It's a minor issue since password resets are a thing and rebrands are rare but still..


We need a website like http://plaintextoffenders.com/ but for the ones that have hurtful password rules.


Ah good yes, please do generate all of my passwords on the server side and then send them via HTTP.


The site supports https


Generate a 36x36 matrix of random (password suitable) characters indexed along ordinate and abscissa with a-z0-9. Two things to remember: a two character key to a password (e.g. 'am' for amazon, 'w3' for a third work related password) and a scheme for tracing a path through this tabula recta[1] following after the first character indexed by the key (e.g. spiral to the left until 12 characters are accumulated). Make two copies of the same matrix, put one in your wallet and the backup in your safe deposit box [2].

[1] https://en.wikipedia.org/wiki/Tabula_recta

[2] http://lifehacker.com/5715794/how-to-write-down-and-encrypt-...


What happens when one password is leaked somehow? Do you then have to reinitialize the matrix and reset all your passwords?

You also have the problem of some domains requiring alphanumeric only, etc., which then limits what characters you can use in all your passwords.


leaked password: choose a new/different two char index or path scheme.

alphanumeric only (some would say avoid such sites [shrug]): just continue along the path skipping over the non-alphanumerics until you've got the length you want.
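
The matrix scheme from the two comments above, written out as an added example (not code from the thread). The symbol set, the exact spiral order (left, up, right, down, wrapping at the edges) and the choice to count the key's own cell as the first character are assumptions; the thread only says "spiral to the left".

```python
import itertools
import secrets
import string

INDEX = string.ascii_lowercase + string.digits  # row/column labels a-z0-9
N = len(INDEX)                                  # 36
# Assumed symbol set; the comment only says "password suitable" characters.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"


def make_matrix():
    """Fill the 36x36 card from the OS CSPRNG."""
    return [[secrets.choice(CHARSET) for _ in range(N)] for _ in range(N)]


def spiral(row, col):
    """Yield cells outward from (row, col): left, up, right, down, wrapping at edges."""
    yield row, col
    moves = [(0, -1), (-1, 0), (0, 1), (1, 0)]
    run, turn = 1, 0
    while True:
        for _leg in range(2):  # the run length grows after every two legs
            dr, dc = moves[turn % 4]
            for _step in range(run):
                row, col = (row + dr) % N, (col + dc) % N
                yield row, col
            turn += 1
        run += 1


def derive(matrix, key, length=12, alnum_only=False):
    """Read `length` characters along the spiral that starts at the keyed cell."""
    if len(key) != 2 or any(k not in INDEX for k in key):
        raise ValueError("key must be two characters from a-z0-9")
    start = INDEX.index(key[0]), INDEX.index(key[1])
    out = []
    # Bound the walk: with wraparound the spiral eventually revisits cells.
    for r, c in itertools.islice(spiral(*start), N * N):
        ch = matrix[r][c]
        if alnum_only and not ch.isalnum():
            continue  # "continue along the path skipping over the non-alphanumerics"
        out.append(ch)
        if len(out) == length:
            return "".join(out)
    raise ValueError("not enough usable characters along the path")


def render(matrix):
    """Printable card with the a-z0-9 labels on both axes."""
    lines = ["  " + " ".join(INDEX)]
    lines += [INDEX[r] + " " + " ".join(matrix[r]) for r in range(N)]
    return "\n".join(lines)


if __name__ == "__main__":
    card = make_matrix()
    print(render(card))
    print(derive(card, "am"), derive(card, "w3", alnum_only=True))
```

With the card in hand, the memorised part is one of 36 x 36 = 1296 start cells plus the path shape, which is the limitation other comments in this thread raise about written schemes.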


Knowing one password is leaked somehow isn't an easy problem to solve. Why assume it is?


The amount of possible alterations (practical alteration that people actually come up with) of a diceware passphrase is, I think, much lower than the possible values of a 6 figure number (which is what most two factor applications use). If you think hard, you'll come up with maybe 100 possible alterations. I wouldn't trust this scheme as my password manager. I use 1password, which feels a lot safer to me.


Ironically, you're frequently safer with a written down password than you are a password that is stored on your computer.

For example, to get your password book, the attacker must have physical access to you. This immediately lowers the attack surface. Your passwords can't be sniffed out of your clipboard. Your passwords can't be brute-forced by someone who compromises by one of your accounts (even the account which stores the encrypted password vault). You can burn your password book to ensure secure deletion.

Yeah, a password manager is still probably better; even the OP acknowledges that. OTOH, how secure is your password to access that manager? How frequently do you rotate it? What happens when that password is compromised?


To be fair to the author, he does write the following at the end of the post:

> PS If you are planning to do this... please consider using a password manager first.

which shows that he is aware that this is only a second-choice solution.


As the author says multiple times, before you try this, please at least try to use a password manager.


Instead of silly obfuscation techniques a far simpler and more secure solution would be to append a memorized master password to the written password.


Until one db is hacked and everyone in the world knows your master password.


So now an attacker needs access to both the hacked DB, and your physical book.

I think that that format acceptably blocks the two most dangerous groups for a person's privacy: tech savvy remote hackers, and tech inept local snoopers.

Remote hackers are tech savvy, but probably don't have physical access to your house and don't care enough about a single user to get it.

Local snoopers are probably not tech savvy, and therefore probably won't have access or know how to find a hacked database.

If there really is a tech savvy local snooper, they will know they can just install a keylogger onto the computer that they almost certainly also have physical access to.


That is the same problem as the proposed method in the article, as the article admits.


Well, they'd also need the codebook where you store the passphrase to get the other half of the password.

So if you change the master password regularly, they'd need to hack a database in that time window and steal your codebook. I highly doubt anyone would put that level of effort in.


I kind of expect that if a determined hacker targets you (or me) specifically, we will get pwnt. The tradeoff is in how determined the hacker is and what the payoff is.


Slightly off topic, but I wanted to use a password manager and installed Lastpass Premium. Great, except for the fact that it won't update passwords and often times fills in the wrong password despite my verifying that it actually stores the right one. It's completely unreliable. Thankfully, I haven't started resetting all my passwords, but that also makes the password manager useless. After paying for that, I wonder if there is a password manager that actually works and is reliable. I've read great things about many packages, but in almost every case, I've also read great things about Lastpass which is atrocious and was definitely not worth even $12 / year. Needless to say, I don't trust any of those reviews.


I don't have the problems with LastPass that you have, but if I did, I would still find it handy for secure password generation, sync, and backup.

You could just open the LastPass Vault in a separate window and copy passwords out of there and it would still be worth $12/year for me.

That being said, try right-clicking in credential fields to find more fine-grained account selection.

And maybe stop by their support to find out if something is wrong with your setup.


Here is a fairly simple alternative to this or using a password manager:

1. Remember a high-entropy “base” password that is likely to pass complexity and length requirements

2. Invent a weird way to incorporate the name or domain name of the product you’re using into this password to make it unique (e.g. “put the second letter of the domain name as the third-last character of your password”)

Advantages: Memorable but unique password for all or most services, no need for physical books that can be stolen, works on any machine. If one of your passwords is discovered, it's basically useless beyond that service unless the attacker knows your step 2.


Disadvantages: do I have an account on this site? What email address did I use to sign up? What is my username (Many have user name requirements)? My password is too long. My password is too short. My password has the wrong characters. My password does have enough numbers. My password doesn't have enough special characters. My password has too many numbers. My password had too many special characters. Now you are remembering tons of special cases. If you are specifically targeted they can compare your password in two hacked databases and find out your scheme.


> do I have an account on this site? What email address did I use to sign up?

Fair point but often there are not too many possibilities.

> What is my username

Your email address, in most cases.

> My password is too long. My password is too short. My password has the wrong characters. My password does have enough numbers. My password doesn't have enough special characters. My password has too many numbers. My password had too many special characters.

Occasionally a problem, but I have been using this method for years and have maybe two or three passwords that I have to manually remember for reasons like this.

> If you are specifically targeted they can compare your password in two hacked databases and find out your scheme.

True, but then one can similarly come up with scenarios for most other schemes.

I agree it's not perfect and won't cover every case, but it has worked well for me.


>What is my username.

>Your email address, in most cases.

I have accounts with, like, a bazillion different financial institutions. They all require user names that have length requirements and special character/number requirements. I would forget all my user names if it weren't for password managers.

If you have one bank, no 401k, no IRA, no credit cards, two social media accounts, one email address, and do all your online shopping on Amazon, and not much else this sort of disadvantage won't pop up but once you get into multiple accounts on multiple sites it does not scale.

If you have many password schemes you'd also have to remember the password rules for every single site.


What would be nice would be if all sites supported this system:

1) go to site 2) enter email address (cached by the browser) 3) go to email account 4) click on long, unguessable link (which is only valid for 2 minutes)

er..that's it.

You could even skip the `enter email address` step and just get users to keep a link provided in the initial signup process. This link could either be the one you always use to log in, or for better security could prompt the remote site into sending you another single-use login link (as above).
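
The server side of the email-link login proposed above, as an added sketch (not code from the thread): a long random token that is valid for 2 minutes, can be redeemed once, and is stored only as a hash so a leaked table does not contain usable links. The class name, the in-memory store and the `site.example` URL are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120  # the comment's "only valid for 2 minutes"


class LoginLinks:
    """In-memory stand-in for the table a real site would keep."""

    def __init__(self, clock=time.time):
        self._pending = {}   # sha256(token) -> (email, expiry timestamp)
        self._clock = clock  # injectable so expiry can be exercised in tests

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create the link that gets mailed to `email`."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return "https://site.example/login?token=" + token

    def redeem(self, token):
        """Return the email to log in, or None if unknown, used or expired."""
        # pop() makes the link single-use even if the request is replayed.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email

    def purge_expired(self):
        """Drop links nobody clicked; returns how many were removed."""
        now = self._clock()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


if __name__ == "__main__":
    links = LoginLinks()
    url = links.issue("user@example.com")  # constructed sample address
    token = url.split("token=")[1]
    print(links.redeem(token), links.redeem(token))
```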


Well most sites do support the feature. It's called password reset and I use it heavily in fact.

I use keepass, but sometimes for services that I use once per year, I just go via password reset and change password to a long random gibberish and do not even bother to write it down to keepass.


No, it's nothing like password reset. My proposed system doesn't even need a password.


This is how Craigslist posts work. You can create a password if you want but you by no means need one. You don't even have to "create an account."


Email is your #1 security concern as that's where password resets go.

Do yourself a favour and use Chrome, buy two U2F keys, register them both, and put one in a safe-deposit box.

It's also phishing-proof, unlike SMS or TOTP.


Yeah, let's all use this one browser!

Soon: Chrome is the new IE.


That happened a long time ago when Google started pestering users of its web properties to use Chrome.


Not bad advice although the sites supporting u2f are not so many. Google, github, and...?


Don't think Chrome is a dependency. Firefox has u2f support now (possibly through an extension?)


I'm not sure I understand the phishing vulnerability of SMS or TOTP tokens?


Anyone else get the CloudFlare CAPTCHA for the diceware link?

Ironic if John's blog caused more checks for that site.

https://www.rempe.us/diceware


I did


My problem with password managers is that: a) I have more than one computer, b) I lose physical objects routinely, and my computers tend to break down and be replaced.

But I have a good memory and I trust it much more than my ability to keep things organized and make routine backups. It's easy for me to generate more or less secure passwords that I can memorize, like:

shrebangodiKe24+ binarKedonado!3297 Miregofinar--0009

etc.

Those will last for a few more years, until password crackers will become so fast that it will be impossible to remember any kind of secure password anymore.

Then, I'll be screwed.


> My problem with password managers is that: a) I have more than one computer, b) I lose physical objects routinely, and my computers tend to break down and be replaced.

Dropbox with KeePass on Windows / KeePassX on Mac / MiniKeePass on iOS works beautifully for me.


And KeePassX on Linux / KeePassDroid on Android. It's simple and works.

The biggest issue is that the passwords are usually copied via the clipboard, so any program accessing the clipboard could copy your passwords. It's of course up to your own assessment whether this is a problem worth consideration or not.


Consider using Keepass2Android rather than KeePassDroid. Instead of using the clipboard to transfer passwords, it provides an input method (a soft keyboard) that will type your passwords to your applications.


Thanks for the tip, I'll try it out!


Any password manager worth considering these days can sync across multiple computers given your master password.


Or you can just sync your encrypted password database over ownCloud or Syncthing, or whatever.


I've started to use a stateless password management scheme for that purpose: https://github.com/majewsky/pwget


I've tried this (or similar, own implementation), but got stuck on weird requirements that some services imposed. In about 50% of cases, I had to modify generated password anyway (usually make it shorter). So instead of remembering password, I had to remember what restriction which service had.


Services should publish, in a computer-readable format, what the password requirements are.

Unfortunately many places consider this information sensitive and protect it fiercely.


> But I have a good memory and I trust it much more

Note that "a good memory" doesn't "scale" or remain constant over time. Plus more importantly you are assuming that something minor or major won't happen to you where for some reason you aren't able to remember things very clearly like you thought you would be able to.


”Those will last for a few more years, until password crackers will become so fast that it will be impossible to remember any kind of secure password anymore.”

I don’t think you need to worry about that. See https://news.ycombinator.com/item?id=3140898


I use passwordstore.org's pass... which just syncs all the passwords via git (and they are encrypted with gpg). So I have redundancy/backup/versioning and the rest is just separate (gpg'd) textfiles.


Have we proven that password managers are safe? It's worth for black hats to spend as much money to break a password manager as the most expensive secret stored in it. If most of the secrets of the world are stored in there, ...


I would recommend something like https://getvau.lt

Generate your passwords with a simple algorithm with a servicename and a keyphrase. Works really well.


I think this approach is better for your mom than for your average developer. I use LastPass and it continues to be difficult even for me to use, less savvy people wouldn't have a hope.


How is it difficult? I trust the security settings on my laptop, so I'm always logged in on my main browser. The process is as simple as entering the website and clicking on log in. When I register to something new, I just click on "save password". I generate passwords using Alt+G.

Comparing this to not using password managers, (in my opinion) I would say that LastPass is both easier and safer alternative than not using one.


I'm also a Lastpass user, and while the service is near to flawless, I keep thinking that the UI is really bad. I wish they could work on that.


Yeah. It's slow, and just plain badly designed in places - crucial interactions hidden behind icon-only menus etc. I really hope they sort it out one day.



If someone steals the book, you're done. Sorry. Unless the words are merely suggestive of actual passphrase, an attacker with the book will break your accounts very, very quickly.

Reference? https://www.schneier.com/blog/archives/2014/03/choosing_secu...

Ten years ago, this scheme might have worked, but now, attackers know about such schemes and have integrated them into their tools.

Yes, LastPass and its ilk have their challenges, but they are far superior to this security snake oil.


How is that any worse or more likely than if you use the same password for all sites and one is compromised? The author clearly states that this is only an alternative option if you are not willing to use a password manager.


> The author clearly states that this is only an alternative option if you are not willing to use a password manager.

Which means it is no alternative at all. I'm a professional security consultant. If a client were to ask me to list the alternatives to using a password manager, I would say "Being hacked".

They would ask what else? I would say "That's it, that's the list".

Bad security advice is as bad as no security advice.

Having amateurs provide well-intentioned, well-stated, well-described, terrible, terrible ideas, ideas articulated well enough that they seem plausibly good, and having them being supported by people who ought to know better does the entire industry a disservice.

What would I tell my Mom? "I'm sorry, I really am, I know it's hard to use, but it really is the best alternative, the only really secure alternative, unless you want to keep a book of really strong passwords locked in your desk and only ever use your computer there."

Which, for average users and average use cases, is no alternative at all.


You're being purposefully obtuse if you think that every single person that doesn't use a password manager will get hacked... This advice is meant for people who will NOT use a password manager, which, believe it or not, is a large majority of the population. Look at the statistics for password use, it is undeniably more safe to use this method than to use "123456" or "password" which is the most likely alternative.


> attackers know about such schemes and have integrated them into their tools.

Really? Attackers steal physical password books? Do you have any examples?



