Password Strength

There is a lot of talk about password security strength. There are tools that let you type in your proposed password, and they provide an estimate, obviously based on math, of how long it would take to crack that password using current technology.
I find it interesting that some of us think this means our passwords are safe if the tool comes back with a high value.
In the past, I have used a specific set of rules to create passwords that I can recreate easily if I do not have access to where I store them. When testing these passwords with online tools like the GRC Password Haystacks tool, I get really great results. But, if you saw two or more of the passwords written down, it would not take long to figure out just about any of the passwords.
I already know the “correct” answer is to use a tool that generates very long, random passwords, and store them in a password vault. But the truth is, this is inconvenient at times, so a lot of us avoid it.

An example might be the initials of your favorite Disney character, several specific numbers and characters, the words from the URL of the website or company before the first period (.), and another number/character string (dD1978%Twit2001$). Always the same capital locations, always the same number/character sequences.

Anybody else use their own rule-based passwords?

1 Like

All my new passwords are stored in LastPass and are as long as the site allows (32 being my current max.)

In the old days I used three or four smaller passwords and combined them depending on how strong I needed the password for a site to be. This allowed me to come up to a site I had forgotten I had an account on, and guess my way to the correct password (in most cases.)

I still use these weaker passwords, but now they’re mostly for sites I would consider “throw away.” Something that has so little importance to me that I wouldn’t care if it got compromised and led to the compromise of all the other throw away sites I have created accounts on. (All of them being mostly one time use or something like “I don’t know what this is, so I’ll check it out with a junk account first.”) That usually means I also use a junk userID with it, and if I ever decide it has value, or I want to spend money with them, I will create a new account with stronger credentials. I almost never use anything as a userID or email that you could guess would be tied back to me… even if you knew me [intimately] well.

2 Likes

My rule is…
Don’t overthink and don’t look.

I open notepad and spam a load of key presses while looking away but occasionally push down my little finger on the shift key.
Then I look at the mess and remove any characters not allowed for the current site.

In the DOS days I used to use the Alt Gr ASCII symbols for passwords in software.
I wish that key still had the same use, as I would still prefer to use a story or sentence to pick the symbols I then use for the passphrase.

Side note. Why we need a key combo to open the emoji picker in Windows is a bit dumb, when we already have a dedicated and unused button we could now use for Unicode graphics.

1 Like

Which key is that? You’re referring to the “menu” key on the right side?

1 Like

No, the Alt Gr key.
It doesn’t access any alternative graphics in Windows.

1 Like

Nope, they are all just random strings. That’s what password managers are for! (And they can apply in most circumstances these days)

Rule-based passwords reduce the strength of the password. Although it probably doesn’t matter that much in some circumstances, it all depends on what kinds of attacks are likely to be thrown at the account. Passwords to your encrypted hard disk, for example, ought not to be weakened as they would then become much easier to brute force. Passwords for a random Joe to a website where there’s nothing especially sensitive to protect, where ordinarily the number of attempts at the password would be limited or other easier targets would exist, would be less important. But then, they would be less often used, so a password manager is still necessary.

It can be helpful to think of a clue to help remember any random password that needs to be typed in by hand, which can be anything from a word that looks similar to something that’s a similar shape, a pattern on the keyboard, etc. I don’t have a formula for that, though, other than using my imagination :slight_smile:

And yes, all of this is inconvenient. But it’s more inconvenient to put up with accounts getting hacked…

2 Likes

It depends on your region. It is used for a lot of characters over here, in Germany. ^ ² ³ { } } \ @ ~ | for example are all only available through AltGr.

1 Like

Um that key doesn’t exist on any of my keyboards… that’s an international feature not available to most people in North America.

I borrowed some images from WASD Keyboards to highlight the difference between a 104 and 105 key keyboard. I am no expert having never used such a keyboard, but it looks to me like the left hand SHIFT key is split into two keys.
[Image: Keyboard104vs105]

Edit: Well I guess I got that wrong, when I looked at the blown up keyboard, it appears (for theirs anyway) that ALT-GR is replacing the second ALT key on the right hand side that I have on my keyboards. The other difference appears to move the vertical pipe to the left from the right above Enter and allows the Enter key to be taller but narrower on the bottom, which allows an extra punctuation key to exist beside Enter.

2 Likes

I use the environment around myself at the time of producing a password for a sign in. Five human senses, and my mood at the time of setting up an account on a website. Something that is a part of my being at that time and space, at that moment. That only my brain cells can reproduce in my weird way of thinking. Then mix them up with Caps, numbers and symbols, then reverse the order sometimes.

1 Like

I use KeePass for password management and sync across devices via NextCloud. I use password lengths towards the maximum allowed. Not always the max allowed as that makes brute forcing easier if the password length is known.

Firefox also now has (or I have just noticed) an option when you right click a password field to auto generate a unique password and automatically store the new password / user into Firefox. Firefox can also sync across your devices running Firefox. Other browsers may do this too. This is very convenient but using your internet facing browser as your password manager carries a lot of risk from remote exploit kits and local stealers/evil maid attacks etc.

Unique passwords for each account are best practice. You can use a password manager / service to generate these or you can use your own formula. Your own formula is weaker as an adversary could decipher the formula and breach further assets. Depending on your threat model this may be an issue or not. If you are a low value target the risk is low of an adversary paying enough attention to see two account breaches and link them to you and notice you have used a formula to devise passwords, even a simple one like 123google123 for google and 123reddit123 for reddit etc as they are just spamming brute force credential databases against targets. Higher value targets are a different story. On the other hand having all your passwords in a password manager is also a single point of failure that gives your adversary all the keys to the kingdom. 2FA I find very irritating.

You can check your logins against KNOWN breaches on Troy Hunt’s website “haveibeenpwned.com”.

Check if your email(s) has been in a known breach: https://haveibeenpwned.com/

Check if your password(s) has been found in a known breach: https://haveibeenpwned.com/Passwords

3 Likes

I find it very interesting how a lot of us are willing to use the internet and services provided on it without really knowing what is going on. Troy Hunt, whose website is “haveibeenpwned.com”, even mentions this in his blog in respect to his website’s services. To quote him, “Do not send any password you actively use to a third-party service - even this one!” and “If you’re worried about me tracking anything, don’t use the service. That’s not intended to be a flippant statement, rather a simple acknowledgment that you need to trust the operator of the service if you’re going to be sending passwords in any shape or form”. I like his openness and honesty in respect to the fact that services like his could do a lot more than most of us know about if the creator wants it to, and we choose to trust them. And, I think it is true of almost everything we do on our devices that are provided by others.
We make decisions, both consciously and unconsciously, to use these devices and applications. Some of us realise what we are putting at risk, and choose to do it. Others go out of their way to try to protect themselves. And I think the vast majority choose to do it because of the convenience it affords them.

4 Likes

Exactly, we really just do not know. And there is not enough time in the world to read every word of every service’s terms and conditions and check if it is real and they abide by it and the full legal ramifications and then research the backgrounds of everyone involved in the business etc etc.

For example I thought for a reasonable amount of time on whether to put “haveibeenpwned.com” links in my reply above. As you allude to, I do not know Troy Hunt personally and have not checked his service infrastructure for security and checked every line of the code of his software stack etc. I often think about these things in depth at least relative to my thinking.

So we tend to use generalized rules so we can actually get things done. So my thought process was that I have heard and read much about Troy Hunt from him and other people I “trust”. So I am willing to take the calculated risk that he is a “good” person with good intentions and that his infrastructure is secure to a reasonable standard. And that posting the links to his website would outweigh the potential risk of this not being true for the benefit of someone checking their credentials and maybe changing their password habits for the better security and maybe not losing control of some account and the hassle involved with that. I did originally write “use at your own risk” but decided to take that out due to the scare factor. I also started to think that I should say not to put your actual password in and use a SHA1 hash of your password that the website allows for better protection. But then I thought that if people knew what that meant then they probably should already know what good passwords are and people that may benefit from “haveibeenpwned.com” would not go / lose interest. Then I started thinking that SHA1 is not secure now either so… on it goes.

I do not know what the answer is, and people do do things for convenience, but there is no other option as we have to take these shortcuts to get things achieved and hope that we have applied enough due diligence not to get bitten. As I try to think these things through in my day to day life my procrastination becomes epic :crazy_face:

1 Like
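The SHA-1 hashing mentioned in the post above is how the Pwned Passwords range lookup is actually designed: the client hashes the password locally, sends only the first five hex characters of the SHA-1 to the documented range endpoint, and compares the remaining 35 characters against the list the server returns, so the full password (and even its full hash) never leaves the machine. The following is an added example, not code from this thread or from haveibeenpwned.com; the sample range body is constructed for the offline demo and its counts are made up, only the endpoint URL and the `SUFFIX:COUNT` line format are the documented ones.

```python
"""k-anonymity range lookup of the kind Pwned Passwords uses (added example).

Only the 5-character SHA-1 prefix is sent to the server; the suffix match is
done locally. The network function is included for completeness but the demo
below runs entirely offline against a constructed range body.
"""
import hashlib
import urllib.request

# Documented endpoint: GET /range/{first five hex chars of the uppercase SHA-1}
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How often the password appears in the (already fetched) range; 0 if absent."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Live lookup for a prefix (network; not exercised by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "range-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Full client flow: hash, send prefix only, match suffix locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for the prefix of "password": two made-up
# suffixes plus the real suffix of "password" with an invented count.
_PREFIX, _SUFFIX = split_hash("password")
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed entry
    f"{_SUFFIX}:3861493",                     # suffix of "password", constructed count
    "00E0BB3E0FAE2DD1AE9B3D2D9EB1CFB0F3A:2",   # constructed entry
])

if __name__ == "__main__":
    print("prefix sent to server:", _PREFIX)
    print("password:", breach_count("password", SAMPLE_RANGE_BODY))
    print("passphrase:", breach_count("correct horse battery staple", SAMPLE_RANGE_BODY))
```

Note that the server learns the prefix, so it could narrow the candidate set to the few hundred hashes sharing it but not recover the password; for the same reason a SHA-1 of a password is not a secret you would want to paste into an arbitrary web form, which is the trust point the post raises.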

There is no need for consternation with passwords if you make a unique password for each site or service. You are basically trading the site a bit of random text for access. There is nothing they can do with that information if it doesn’t apply to anything anywhere else. Be more worried about which services you give personally identifiable information (I’m looking at you FaceBroke.)

3 Likes

In places where I can’t use LastPass I use a keyboard sequence like: 4321 #@!, then hop to another part of the keyboard and do something similar. I only have to remember the starting point(s). Example ends up being something like: 76543&^%#UyTrE

1 Like

Don’t use my father’s middle name as your password

SvAJioD

5 Likes

This sounds like “keyboard trails” kind of password generation. Most of the password crackers know people do this and they have keyboard trails sequences loaded in their databases too. (In another life, where I was in charge of development for embedded security for a product, I actually wrote a detector for keyboard trails in potential passwords.)

4 Likes

Yeah, I suspect that sequence-approach is considerably less secure than a random 8-10 char password. The first time I read that I thought you were suggesting something more complex until I looked at my keyboard.

If you’re going to do something like that, a non-key-position-based “prefix” plus some other per-use code is a “better” idea. But if the pwd were to be compromised, you’re still screwed if you use that approach on other sites.

1 Like

I recently signed up for iDrive. (Some day I’ll write a review of that experience.) When it came time to come up with an encryption key I thought, what the heck, I can just store this in LastPass so I had LastPass come up with the key for me. 45 characters. Downloaded the software. Had to enter the encryption key. It wouldn’t let me cut and paste. I had to manually enter the 45 character key. :crazy_face: Got it right on the second try. Now it lets me cut-and-paste.

2 Likes

I think that speaks to iDrive’s idea of security. How could they expect you to enter a long/complex key without copy/paste. I guess they don’t! Just use your mother’s maiden name or high school mascot – you’ll be fine. :wink: Or maybe it was just a bug?

There are a lot of misguided ideas about security. Like sites that make you change your password every 60-120 days. Stupid, yet it’s a policy certain government agencies had in place some years ago.

I’ve experienced problems filling on sites with LastPass, but those have been more and more mitigated or fixed over the past few years.

1 Like

Our card merchant’s PCI DSS compliance portal makes me do this every time I log in to run the network scans. The NIST guidelines changed a while back, now saying that password expiry is no longer recommended as it once was.

NIST:

Q-B05:

Is password expiration no longer recommended?

A-B05:

SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

This was also interesting:

Q-B06:

Are password composition rules no longer recommended?

A-B06:

SP 800-63B Section 5.1.1.2 paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack.

Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize.

1 Like
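The two quoted NIST answers translate into a verifier-side check that is simpler than the usual composition rules: a minimum length (SP 800-63B requires at least 8 characters for user-chosen secrets and says verifiers should accept at least 64), a blocklist of common values, and a change forced only on evidence of compromise rather than on a calendar. The following is an added example, not NIST's code or the PCI portal's; the blocklist, the normalisation that undoes the "append a !" and leet-speak tweaks the FAQ mentions, and the length constants are illustrative assumptions.

```python
"""Memorized-secret acceptance check in the spirit of SP 800-63B 5.1.1.2 (added example).

No composition rules. Rejections come from length bounds, a blocklist matched
after normalising predictable tweaks, context-specific words, and trivial repeats.
"""
import re
import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # assumed cap; 800-63B says at least 64 should be accepted

# Constructed stand-in for a real list of breached / common passwords.
COMMON_BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "123456", "admin"}

_TRAILING_NOISE = re.compile(r"[\d\W_]+$")   # "Password1!" -> "password"
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(secret):
    """Collapse the predictable changes users make to satisfy composition rules."""
    s = unicodedata.normalize("NFKC", secret).lower()
    stripped = _TRAILING_NOISE.sub("", s)
    if stripped:                 # keep all-digit secrets intact ("123456")
        s = stripped
    return s.translate(_LEET)    # "p@ssw0rd" -> "password"


def check_secret(secret, blocklist=COMMON_BLOCKLIST, context_words=()):
    """Return the list of rejection reasons; an empty list means accepted."""
    reasons = []
    secret = unicodedata.normalize("NFKC", secret)
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    forms = {secret.lower(), normalize(secret)}
    if forms & set(blocklist):
        reasons.append("matches a blocklisted common password")
    for word in context_words:           # e.g. username, service name
        w = word.lower()
        if w and any(w in f for f in forms):
            reasons.append(f"contains context-specific word {word!r}")
    if len(set(secret)) == 1:
        reasons.append("single repeated character")
    return reasons


def rotation_required(compromise_evidence, days_since_set):
    """Event-based change only: age alone never forces a new secret."""
    del days_since_set           # deliberately ignored, per the quoted guidance
    return bool(compromise_evidence)


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd", "123456", "correct horse battery staple"):
        print(f"{candidate!r}: {check_secret(candidate) or 'accepted'}")
    print("rotate after 400 days, no incident:", rotation_required(False, 400))
    print("rotate after breach notice:", rotation_required(True, 10))
```

Because the blocklist is matched on the normalised form, the "minimally satisfying" variants the FAQ describes are caught without the policy ever demanding a digit or a symbol; a long plain passphrase passes untouched.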